Due Diligence Survey

"*" indicates required fields

General Information

Full Legal Name of the Company*
Address*
- Street Address
- Address Line 2
- City
- State / Province / Region
- ZIP / Postal Code
- Country
Website*
Phone*
Email*
Description of Service*

Supply Chain

Please upload evidence of the latest due diligence report or audit you conducted on your critical suppliers/third parties* (Max. file size: 50 MB.)
Please upload the risk assessment procedure for assessing third parties* (Max. file size: 50 MB.)
Please upload a list of suppliers that support delivery of service to FXSpotStream* (Max. file size: 50 MB.)

Internal & External Fraud Risk

Does your company apply any of the following management fraud preventative controls?*
- Sound corporate governance controls
- Effective oversight, segregation of duties or management control
- Robust standards, qualification and background checks for appointing senior managers
- Strong independent audit committee with extensive oversight
- Transparent accounting, reporting and audit standards
- Periodic external audit on account statements and financial position of the company
- Rewards / bonuses not being directly linked to directors' performance or targets achievement
Please select all that apply

Does your company have a computerised payroll system that is able to detect the following anomalies?*
- Employees with the same name
- Payments to the same bank account for different employees
- Payments to individuals who are no longer employed by the company
- Unusually high overtime payments
- Unauthorised increases to salaries
- The use of emergency tax codes

Does your company ensure the following controls are put in place to safeguard from corporate identity fraud?
- Checking the company's registered details at the national registry or equivalent database, on a regular basis*
- Reviewing the company's credit report for discrepancies on a regular basis
- Arranging for mail to be redirected (for at least within a consistent timeframe) if the company moves business premises and notifying vendors, customers and other partners of the change of address
- If no mail is being received, checking with local mailing services to ensure that a redirection hasn't been set up in the company's name without prior knowledge
- Securely destroying all confidential and sensitive business information, including company letterhead
- Regularly checking the company’s registered details and signing up for any services offered by the relevant government agency to protect the business information
- The company’s bank account details are not publicly disclosed on any website

Data Protection

Does your company have a conduct breach management and reporting process?* Yes / No
Does your conduct, breach management and reporting process contain anti-retaliation provisions?* Yes / No
Which of the following provisions does your conduct, breach management and reporting process contain?*
- Process to immediately suspend any employee suspected of fraud
- Investigation Process
- Informal Warning
- Formal Warning
- Formal Disciplinary Procedure
- None of the above
Do you make a Data Processing Addendum available to your Data Controller clients?* Yes / No
Do your employee and contractor contracts and/or your company handbook detail your policies with regard to your specific expectations in relation to data protection, privacy and security?* Yes / No
Have these policies been updated to reflect the additional requirements under the GDPR and DPA 2018?* Yes / No
How frequently is your personnel trained on how to process, keep private and secure the data you deal with according to the policies set out in your contracts and/or handbook?* Annually / Semi-Annually / Quarterly
What levels of cover does your current insurance portfolio provide for?*
- Professional Indemnity
- Data Breach/Forensic Investigation Costs
- Crisis Containment/Reputational Damage Costs
- Business Interruption
- Breach Liabilities from Data Subjects
Is there a "Cyber-Insurance" policy in place?* Yes / No
Are you aware of ever having suffered a data breach?* Yes / No
Do you maintain a Data Breach Register?* Yes / No
Describe your software and operating system patching policy*
Describe your device AND network password policy*

Digital Data that you store on behalf of the Controller

Please answer the below*
- If you store and secure digital data on behalf of the controller (i.e. Cloud platform, Cloud storage, Payroll provider, Accountants), please answer all questions in Section A
- If you store and secure non-digital records on behalf of the controller (i.e. External document storage, Financial records), please answer all questions in Sections B and C
- If you have access to the data controller’s data (i.e. Website developer, IT services, Software support), please answer all questions in Section C only

Section A

What systems, policies, procedures and audit facilities have been implemented to detect a data breach or unauthorized access to The Controller's data?*
What processes do you have in place for reporting to The Controller a data breach relating to The Controller's data?*
Do you encrypt The Controller's data 'at rest'? If so, when is it decrypted?*
If The Controller's data is transferred, what encryption, or equivalent security measure, is deployed when the data is 'in transit'?*
What Remote Access facilities that could be used to directly or indirectly gain access to the server or device upon which The Controller’s data is stored do you make available for staff and 3rd parties?*
Describe the backup policy RELATING TO The Controller’s data?*

Section B

Please describe where the controller’s data (including archives and or backups, if relevant) are physically and geographically stored*
Do you maintain records of processing activities?
If so, could, upon suitable request, access to these be provided to the Controller?*
Do you transfer, sell, rent, or by any means share or disseminate, The Controller’s data to any third party? If so, to whom, when, why and on what lawful basis?*
If The Controller’s data is transferred, do you have provisions within the contracts with each of these parties or a specific Data Processing Addendum to cover The Controller’s expectations on them as a sub-processor to protect The Controller’s data?*
If The Controller receives a Subject Access Request (SAR) from a Data Subject, what mechanisms do you have available to support The Controller to provide the data subject with a record of all the processing activities and information collectively stored on them?*
What retention policy do you apply to The Controller’s data? i.e. How long do you keep it (and any archives or backups) after processing has been completed, how and when is it destroyed and by whom?*
If The Controller’s data is archived, on what basis is it archived and where is the archive stored?*

Section C

Describe who has permission to access and view The Controller’s data, both internally and externally and why.*
How is access to The Controller’s data logged and controlled?*
Are you aware of any of The Controller’s data being incomplete, outdated or wrong?*

Financial

Ownership Structure

Capital Table of the Company* (Please attach. Accepted file types: pdf, doc, docx. Max. file size: 50 MB.)
Institutional Investors Details* (If Any): Name, Series/Round, % Holding, Funds Raised, Type of Investors
Internal Investors Details*: Name, Title, % Holding
Number of Total Employees* 0-49 / 50-499 / 500+
Management ('C' Level)*: Name(s), Title
% of Recurring Revenue*
Number of Customers*
% of Revenue from top 10 customers*
What percentage of your revenue comes from LiquidityMatch's (incl. subsidiaries') business*
Percentage of Accounts Receivable over 180 days*
Names of a few top customers*
IP is Company Owned or Individual Owned. If Individual Owned, please describe* Company Owned / Individual Owned
Please describe*
Any Material Lawsuits pending/IP Related disputes?* Yes / No
Financials* (Income Statement, Balance Sheet, Cash Flow Statement. Max. file size: 50 MB.)
Last 2 Fiscal Year Audited Financial Reports* (Please attach full report, including notes. Max. file size: 50 MB.)
Forecast for current fiscal year*: Revenue, EBITDA, EBIT, Net Income (Amount in Millions)
Auditor*: Name of Auditor, Auditor Opinion
Current Liquidity*
Cash & Cash Equivalents* (Amount in USD Millions)
As of:* MM/DD/YYYY
Bank/Credit Line*: Used, Available, Bank, Description
Debt*: Short Term, Long Term, Maturity/Repayment, Interest, Covenants, Bank

Security

Are all security policies reviewed and/or updated annually, or when significant changes occur under legal, business, org or technical circumstances?* Yes / No
Does the organization's management ensure that the information security policy is aligned with strategy and communicated effectively to the entirety of the organization?* Yes / No
Is there documentation around the secure configuration of end-user devices?* Yes / No
Are penetration tests performed on a regular basis against the organization?* Yes / No

Business Continuity

Does your company have a documented Business Continuity Policy?*
- Yes, not willing to upload document but will describe
- Yes, willing to upload document
- No
Please upload* (Max. file size: 50 MB.)
Does your company's Business Continuity Plan include the following?*
- Roles and responsibilities clearly defined
- Training on this process at least annually for staff who have business continuity and incident response responsibilities
- An established crisis/incident management protocol, with clearly defined roles and escalation paths
- A communication protocol to inform your clients of any incidents impacting your services
- Processes/plans in place for responding to incidents which impact the service
- Business Impact Assessments (BIA) for the products or services you will provide/Business operations (i.e. not IT systems) required for delivery of the products or services
- None of the above
Please select all that apply
Does your company have a Business Continuity Plan for the services provided to FXSpotStream?*
- Yes, not willing to upload document but will describe
- Yes, willing to upload document
- No
File* (Max. file size: 50 MB.)
Does your company's Business Continuity Plan include the following?*
- Disruption to availability of staff undertaking the business operation whether temporary or permanent
- Disruption to any subcontracted suppliers you have a reliance on in order to provide your service to us
- Disruption to the premises for any reason where any business operations are performed
- Disruption to your company's applications systems or data (including denial of access or corruption) either due to technology failure or cyber threats
- Controls to detect and prevent data corruption
- Controls to detect and alert incidents in advance of any impact to customers
- Communication strategies
- None of the above
Please select all that apply
What is your Recovery Time Objective (RTO) within the Business Continuity Plan?*
Is your Business Continuity Plan presented to a risk governance committee for approval?* Yes / No
Does your Business Continuity Plan identify key business or critical functions?* Yes / No
Does your Business Continuity Plan identify dependencies between key functions and/or critical third party services?* Yes / No
What is your Recovery Point Objective (RPO) within the Business Continuity Plan?*
How many months are in between your Business Continuity Reviews? (In Months)*
- 1-3 months
- 4-6 months
- 7-9 months
- 10-12 months
- 12-18 months
- 19+ months
- Never
How many months are in between tests of your Business Continuity Plan?*
- 1-3 months
- 4-6 months
- 7-9 months
- 10-12 months
- 12-18 months
- 19+ months
- Never
Do you have a recent documented report of findings for a Business Continuity Test?*
- Yes, not willing to upload document but will describe
- Yes, willing to upload document
- No
Please describe*
Please upload* (Max. file size: 50 MB.)
Do you have controls to detect and alert incidents in advance of any impact to customers?*
- Business Hours Only
- 24/7 Alerts
- No
- N/A
Describe contingency arrangements in place to limit the effects of a downtime/failure during a continuity event?*
Do you conduct root cause analysis following a business continuity event?* Yes / No
Do you track completion of corrective action plans?* Yes / No
Are there any open corrective actions related to the services being provided to FXSpotStream?* Yes / No

Physical Security

Is entrance to any organization facilities controlled?* Yes / No
Is there a physical security program maintained by the organization?* Yes / No
Is physical security regularly tested?* Yes / No
Does the organization have clearly identified responsibilities for asset protection and information security processes?* Yes / No

Disaster Recovery

Do you have a documented IT Disaster Recovery Policy?*
- Yes, not willing to upload document but will describe
- Yes, willing to upload document
- No
Please upload* (Max. file size: 50 MB.)
Which of the following does your IT Disaster Recovery Policy include?*
- Clearly defined roles and responsibilities
- Training requirements for all applicable personnel
- List of all critical infrastructure, systems and networks
- List of all critical vendors relating to IT systems
- None of the above
Do you currently have a documented IT Disaster Recovery Plan?*
- Yes, not willing to upload document but will describe
- Yes, willing to upload document
- No
Please upload* (Max. file size: 50 MB.)
Which of the following does your IT Disaster Recovery Plan include?*
- Emergency response processes clearly defined
- Backup operations clearly defined
- Recovery start up procedures clearly defined
- Disaster recovery checklist
- None of the above
How many months are there between tests of your IT Disaster Recovery Plan?*
- 1-3 months
- 4-6 months
- 7-9 months
- 10-12 months
- 12-18 months
- 19+ months
- Never
Please give the date of your last Disaster Recovery Test* MM/DD/YYYY
Do you have a copy of your latest Disaster Recovery Test results?* Yes / No
Describe the result findings*
Was an action register created and completed to address all findings with clear ownership responsibilities?* Yes / No
Are any findings related to the services provided to FXSpotStream still open?* Yes / No
Have you defined your Recovery Time Capability (RTC) for Data Centre Failover?* 0-2h / 2-4h / 4-8h / 8-12h / 12-24h / +24h
Have you defined your Recovery Point Capability (RPC) for Data Centre Failover?* No loss / 15-30 min / 30-60 min / +60 min
If your IT disaster recovery test results in a failure, is it retested within 3 months?* Yes / No
Does your company normally operate to planned Maximum Period of Tolerable Disruption (MPTD) for its business operations?* Yes / No
Does your company have geographically-separated primary and secondary data centres with identical infrastructure, hardware and software environments, or a cloud native organization utilizing multiple availability zones?* Yes / No
How many miles are there between your primary and secondary data centers?*
Please confirm that any subcontracted suppliers have business continuity arrangements in place to prevent disruption to the delivery of your products or services to FXSpotStream* Yes / No
Please select which of the following ANSI/TIA-942 standards apply to the data centre your company uses for hosting your client's data* Tier 1 / Tier 2 / Tier 3 / Tier 4 / No standard
Does the data centre have a UPS (Uninterrupted Power Supply) and back-up power generator installed?* Yes / No
Are UPS and generators tested at least annually?* Yes / No
Is the disaster recovery environment capable of running until the production environment is restored?* Yes / No
Does your disaster recovery environment provide the same capacity and performance of your production environment?* Yes / No
Does your company undertake incident root cause analysis and trend analysis?* Yes / No
Are controls in place to detect applications, systems or processes from reaching or exceeding capacity thresholds?* Yes / No

People Risk

Does induction training include the following?*
- Conflicts of Interest Training
- Data Privacy Training
- Information Security Training
- Health & Safety Training
- Fraud Training
- Anti-Bribery Training
- Anti-Money Laundering Training
- None of the above
Are pre-employment vetting checks undertaken for all employees?* Yes / No

Personnel

Are information security personnel responsible for the overall security of the organization?* Yes / No
Are security personnel outsourced or internal?* Yes / No
Do security personnel maintain contact with 3rd parties related to security specialties, such as websites, forums and/or professional associations?* Yes / No
Is access to the server room/data centre/asset lockers controlled via separate security controls?* Yes / No
Are the organization's servers located in a data centre?* Yes / No
Is access to all workstations/laptops controlled by user names and passwords?* Yes / No
What methods of protection from unauthorised access do you use to secure your network and/or devices?* Yes / No
Are users' access rights reviewed on a regular basis?* Yes / No
Are inactive users disabled and/or deleted after a defined period of time?* Yes / No

Change Management

Are IT operations regulated by a change control process?* Yes / No
Is security involved when a change is performed on any of the organizations' IT systems?* Yes / No
If applicable, do code changes go through a risk assessment?* Yes / No
Is access to source code libraries logged and monitored?* Yes / No
Is source code analyzed for vulnerabilities?* Yes / No

Patching

Are vulnerabilities remediated before production?* Yes / No
Do applications used by the organization log to a level sufficient to assist in investigation in response to an incident?* Yes / No
Are laptops/workstation/phones used to transmit or process client data?* Yes / No
Are personnel allowed to utilize mobile or BYOD devices on the organization's production/main network?* Yes / No
Are any and all personnel accessing the organization's network required to sign an acceptable use agreement?* Yes / No
Are there security hardening standards for network devices?* Yes / No
Do network devices log events at a level of data sufficient to support an investigation?* Yes / No
Is the organization's network sufficiently segmented to separate sensitive systems from non-sensitive systems?* Yes / No
Is anti-malware software deployed on all Windows and Apple systems in use on the production network?* Yes / No
Are network vulnerability scans performed across the entirety of the management network, including internal and external?* Yes / No
Are servers and workstations regularly patched for functional and security issues?* Yes / No
Is there a defined standard for all server builds?* Yes / No
Are deviations from the standard server build documented by the organization?* Yes / No